
TECHNOLOGY RISK MANAGEMENT GUIDELINES



Monetary Authority of Singapore
TECHNOLOGY RISK MANAGEMENT GUIDELINES
JUNE 2013

TABLE OF CONTENTS

1 INTRODUCTION .. 4
2 APPLICABILITY OF THE GUIDELINES .. 5
3 OVERSIGHT OF TECHNOLOGY RISKS BY BOARD OF DIRECTORS AND SENIOR MANAGEMENT .. 6
    Roles and Responsibilities .. 6
    IT Policies, Standards and Procedures .. 6
    People Selection Process .. 7
    IT Security Awareness .. 7
4 TECHNOLOGY RISK MANAGEMENT FRAMEWORK .. 8
    Information System Assets .. 8
    Risk Identification .. 8
    Risk Assessment .. 9
    Risk Treatment .. 9
    Risk Monitoring and Reporting .. 10
5 MANAGEMENT OF IT OUTSOURCING RISKS .. 11
    Due Diligence .. 11
    Cloud Computing .. 12
6 ACQUISITION AND DEVELOPMENT OF INFORMATION SYSTEMS .. 14
    IT Project Management .. 14
    Security Requirements and Testing .. 14
    Source Code Review .. 15
    End User Development .. 16
7 IT SERVICE MANAGEMENT .. 17
    Change Management .. 17
    Program Migration .. 18
    Incident Management .. 18
    Problem Management .. 21
    Capacity Management .. 21
8 SYSTEMS RELIABILITY, AVAILABILITY AND RECOVERABILITY .. 22
    Systems Availability .. 22
    Disaster Recovery Plan .. 22
    Disaster Recovery Testing .. 24
    Data Backup Management .. 24
9 OPERATIONAL INFRASTRUCTURE SECURITY MANAGEMENT .. 26
    Data Loss Prevention .. 26
    Technology Refresh Management .. 27
    Networks and Security Configuration
    Vulnerability Assessment and Penetration Testing .. 29
    Patch Management .. 29
    Security Monitoring .. 30
10 DATA CENTRES PROTECTION AND
    Threat and Vulnerability Risk Assessment .. 31
    Physical Security .. 31
    Data Centre Resiliency .. 32
11 ACCESS CONTROL .. 33
    User Access Management .. 33
    Privileged Access Management .. 34
12 ONLINE FINANCIAL SERVICES .. 36
    Online Systems Security .. 36
    Mobile Online Services and Payments Security .. 38
13 PAYMENT CARD SECURITY (AUTOMATED TELLER MACHINES, CREDIT AND DEBIT CARDS) .. 40
    Payment Card Fraud .. 40
    ATMs and Payment Kiosks Security .. 42
14 IT AUDIT .. 43
    Audit Planning and Remediation Tracking .. 43
APPENDIX A: SYSTEMS SECURITY TESTING AND SOURCE CODE REVIEW .. 44
APPENDIX B: STORAGE SYSTEM RESILIENCY .. 47
APPENDIX C: CRYPTOGRAPHY .. 49
APPENDIX D: DISTRIBUTED DENIAL-OF-SERVICE PROTECTION .. 51
APPENDIX E: SECURITY MEASURES FOR ONLINE SYSTEMS .. 53
APPENDIX F: CUSTOMER PROTECTION AND EDUCATION .. 55

1 INTRODUCTION

The advancement of information technology ("IT") has brought about rapid changes to the way businesses and operations are being conducted in the financial industry. IT is no longer a support function within a financial institution[1] ("FI") but a key enabler for business strategies, including reaching out to and meeting customer needs. Financial systems and networks supporting FIs' business operations have also grown in scope and complexity over the years. FIs offering a diversity of products and services could have their financial systems operating in multiple locations and supported by different service providers.

FIs are also faced with the challenge of keeping pace with the needs and preferences of consumers who are becoming more IT-savvy and switching to internet and mobile devices for financial services, given their speed, convenience and ease of use. Increasingly, FIs are deploying more advanced technology and online systems, including internet banking systems, mobile banking and payment systems, online trading platforms and insurance portals, to reach their customers. In this regard, FIs should fully understand the magnitude and intensification of technology risks arising from these systems. They should also put in place adequate and robust risk management systems, as well as operating processes, to manage these risks.

The Technology Risk Management Guidelines (the "Guidelines") set out risk management principles and best practice standards to guide the FIs in the following:

a. Establishing a sound and robust technology risk management framework;
b. Strengthening system security, reliability, resiliency, and recoverability; and
c. Deploying strong authentication to protect customer data, transactions and systems.

While the Guidelines are not legally binding, the degree of observance with the spirit of the Guidelines by an FI is an area of consideration in the risk assessment of the FI by MAS.

[1] "Financial institution" has the same meaning as in section 27A(6) of the Monetary Authority of Singapore Act (Cap. 186).

2 APPLICABILITY OF THE GUIDELINES

The Guidelines are statements of industry best practices which FIs are expected to adopt. The Guidelines do not affect, and should not be regarded as, a statement of the standard of care owed by FIs to their customers. Where appropriate, FIs may adapt these Guidelines, taking into account the diverse activities they engage in and the markets in which they conduct transactions. FIs should read the Guidelines in conjunction with relevant regulatory requirements and industry standards. The objective of the Guidelines is to promote the adoption of sound practices and processes for managing technology risk.

3 OVERSIGHT OF TECHNOLOGY RISKS BY BOARD OF DIRECTORS AND SENIOR MANAGEMENT

3.0.1 IT is a core function of many FIs. When critical systems fail and customers cannot access their accounts, an FI's business operations may immediately come to a standstill. The impact on customers would be instantaneous, with significant consequences to the FI, including reputational damage, regulatory breaches, and revenue and business losses. In view of the importance of the IT function in supporting an FI's business, the board of directors and senior management should have oversight of technology risks and ensure that the organisation's IT function is capable of supporting its business strategies and objectives.

Roles and Responsibilities

The board of directors and senior management should ensure that a sound and robust technology risk management framework is established and maintained. They should be involved in key IT decisions, and they should be fully responsible for ensuring that effective internal controls and risk management practices are implemented to achieve security, reliability, resiliency and recoverability. The board of directors and senior management should give due consideration to cost-benefit issues, including factors such as reputation, customer confidence, consequential impact and legal implications, with regard to investment in controls and security measures for computer systems, networks, data centres ("DC"), operations and backup facilities.

IT Policies, Standards and Procedures

FIs should establish IT policies, standards and procedures, which are critical components of the framework, to manage technology risks and safeguard information system assets[2] in the organisation. Due to rapid changes in the IT operating and security environment, policies, standards and procedures should be regularly reviewed and updated. Compliance processes should be implemented to verify that IT security standards and procedures are enforced. Follow-up processes should be implemented so that compliance deviations are addressed and remedied on a timely basis.

[2] Information system assets refer to data, systems, network devices and other IT equipment.

